Payload
The payload structure is an associated data type of all the event variants. Each variant has a specific set of fields, explained in the following lines.
Network
Network related events.
Bind
Generated by OS binding events.
| Field name | Type | Description |
|---|---|---|
address | Host | Ip and port |
is_tcp | bool | Indicates a TCP connection |
Listen
Generated when a process starts to listen for connections.
| Field name | Type | Description |
|---|---|---|
address | Host | Ip and port |
Connect
Generated when a process starts a connection.
| Field name | Type | Description |
|---|---|---|
address | Host | Ip and port |
is_tcp | bool | Indicates a TCP connection |
Accept
Generated when a process accept a connection.
| Field name | Type | Description |
|---|---|---|
source | Host | Ip and port of the source |
destination | Host | Ip and port of the destination |
Close
Generated by a closed connection.
| Field name | Type | Description |
|---|---|---|
source | Host | Ip and port of the source |
destination | Host | Ip and port of the destination |
Receive
Generated when a process receive packets.
| Field name | Type | Description |
|---|---|---|
source | Host | Ip and port of the source |
destination | Host | Ip and port of the destination |
len | usize | Length of the packet |
is_tcp | bool | Indicates a TCP connection |
Send
Generated when a process sends packets.
| Field name | Type | Description |
|---|---|---|
source | Host | Ip and port of the source |
destination | Host | Ip and port of the destination |
len | usize | Length of the packet |
is_tcp | bool | Indicates a TCP connection |
DnsQuery
Generated on DNS queries.
| Field name | Type | Description |
|---|---|---|
questions | Vec<DnsQuestion> | List of DNS questions |
DnsResponse
Generated on DNS responses.
| Field name | Type | Description |
|---|---|---|
questions | Vec<DnsQuestion> | List of DNS questions |
answers | Vec<Vec<DnsAnswer> | List of DNS answers |
Process
Process related events.
Fork
Genrated on a process fork.
| Field name | Type | Description |
|---|---|---|
ppid | i32 | Parent pid of the process |
Exec
Genrated on a process exec.
| Field name | Type | Description |
|---|---|---|
filename | String | Path of the file |
argc | usize | Number of arguments passed to the executable |
argv | Vec<String> | List of arguments passed to the executable |
Exit
Genrated on a process exit.
| Field name | Type | Description |
|---|---|---|
exit_code | u32 | Exit code of the executable |
File system
File system related events.
FileCreated
Generated on file creation.
| Field name | Type | Description |
|---|---|---|
filename | String | Path of the file |
FileDeleted
Generated on file deletion.
| Field name | Type | Description |
|---|---|---|
filename | String | Path of the file |
DirCreated
Generated on directory creation.
| Field name | Type | Description |
|---|---|---|
dirname | String | Path of the directory |
DirDeleted
Generated on directory deletion.
| Field name | Type | Description |
|---|---|---|
dirname | String | Path of the directory |
FileOpened
Generated when a process opens a file.
| Field name | Type | Description |
|---|---|---|
filename | String | Path of the file |
flags | FileFlags | Open flags |
FileLink
Generated on symlink creation.
| Field name | Type | Description |
|---|---|---|
source | String | Source of the link |
destination | String | Destination of the link |
hard_link | bool | Indicates if it's an hard link |
FileRename
Generated when a file is renamed.
| Field name | Type | Description |
|---|---|---|
source | String | Source of the file |
destination | String | Destination of the file |
ElfOpened
Generated when an executable is opened.
| Field name | Type | Description |
|---|---|---|
filename | String | Path of the file |
flags | FileFlags | Open flags |
Threat
Threat related events.
RuleEngineDetection
Generated by the rule engine module on a matched rule.
| Field name | Type | Description |
|---|---|---|
rule_name | String | Name of the matched rule |
payload | Box<Payload> | Original event |